[strongSwan] (no subject)

Alexander Lyakas alex.bolshoy at gmail.com
Thu Mar 1 10:02:36 CET 2012


Greetings everybody,
I am trying to set up a basic client-to-server secured connection with
ESP in transport mode. The server is ubuntu-natty 2.6.38-8 with stock
strongswan package 4.5.0. The server is using pre-shared keys. On the
server I am using IKEv1 only at this point. The client is a Win7 box.
It is configured using Windows Firewall Advanced Snap-In to always
require encryption.

Everything seems to work more or less as expected. However, when the
IPSec SA is established, in Win7 IP Security Monitor, I see that "ESP
confidentiality" is "None". When running "setkey -D" on the Linux box
I can see the encryption is enabled on the SAs:

root at vc-0-0-10-03--109-dev:~# setkey -D
172.16.0.158 172.16.4.10
       esp mode=transport spi=1217668046(0x489423ce) reqid=16392(0x00004008)
       E: aes-cbc  58ebcc39 10ecd799 6c784631 261cbeda
       A: hmac-sha1  a0819356 2c08386c c7cb56cc caba9da2 0e7f04e5
       seq=0x00000000 replay=32 flags=0x00000000 state=mature
       created: Feb 16 12:41:36 2012   current: Feb 16 12:41:41 2012
       diff: 5(s)      hard: 0(s)      soft: 0(s)
       last: Feb 16 12:41:39 2012      hard: 0(s)      soft: 0(s)
       current: 52(bytes)      hard: 0(bytes)  soft: 0(bytes)
       allocated: 2    hard: 0 soft: 0
       sadb_seq=1 pid=1790 refcnt=0
172.16.4.10 172.16.0.158
       esp mode=transport spi=3274301888(0xc329e1c0) reqid=16392(0x00004008)
       E: aes-cbc  c915c917 26a25072 02d0d950 05f2d31d
       A: hmac-sha1  1bb2124c 52265cc0 263098f2 c2cd2880 e3fefbfd
       seq=0x00000000 replay=32 flags=0x00000000 state=mature
       created: Feb 16 12:41:36 2012   current: Feb 16 12:41:41 2012
       diff: 5(s)      hard: 0(s)      soft: 0(s)
       last: Feb 16 12:41:36 2012      hard: 0(s)      soft: 0(s)
       current: 244(bytes)     hard: 0(bytes)  soft: 0(bytes)
       allocated: 4    hard: 0 soft: 0
       sadb_seq=0 pid=1790 refcnt=0

How can I verify that encryption is really effective? I was trying to
use Wireshark to capture the traffic, and indeed I see ESP packets
there, but I am still not sure at this point.
I am also posting my server ipsec.conf; please let me know if it makes sense.
Thanks!

config setup
	charonstart=no
	plutostart=yes
	strictcrlpolicy=no
	uniqueids=yes
	crlcheckinterval=0s
	nocrsend=no
	plutodebug="control lifecycle dns oppo controlmore natt"
	postpluto=
	prepluto=

conn client
	auth=esp
	authby=psk # rsasig, for IKEv2 use leftauth
	auto=start # We need to start all connections, for those peers that don't support DPD
	dpdaction=clear # For those peers that support DPD, we expect them to reconnect, so we drop their connections
	dpddelay=30s
	dpdtimeout=30s # IKEv1 only
	esp=aes128-sha1 # Add more as needed
	ike=aes128-sha1-modp1024 # Add more as needed
	ikelifetime=3h
	installpolicy=yes
	keyexchange=ikev1 # (for outgoing connection only)
	keyingtries=1 # We should not retry, the client should
	lifetime=1h
	margintime=9m
	pfs=no
	pfsgroup= # For IKEv1 only
	reauth=yes # Relevant only for IKEv2
	rekey=no # Do not initiate rekeying
	type=transport
	# LEFT server
	left=172.16.0.158
	leftallowany=no
	leftauth= # For IKEv2 only
	leftprotoport=tcp
	# RIGHT - client
	right=172.16.4.10
	rightallowany=no
	rightauth= # For IKEv2 only
	rightprotoport=tcp
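
As an added example (not from the original post and not strongSwan code), the following Python check takes raw ESP packets like the ones seen in Wireshark and compares them against the SAD printed by setkey -D above: the SPI must be one of the two listed, the source/destination must match that SA's direction, and the payload after the 8-byte ESP header must have the shape aes-cbc/hmac-sha1 gives it (16-byte IV, block-aligned ciphertext, 12-byte truncated ICV) with a byte distribution unlike plaintext. The two packets, the hash-derived ciphertext stand-in and the HTTP request are constructed here, and the 5.5-bit entropy threshold is a heuristic assumption, not a protocol constant.

```python
import hashlib
import math
import struct

# SPIs and endpoints copied from the `setkey -D` output in the post; both SAs use aes-cbc/hmac-sha1.
SAD = {
    0x489423CE: ("172.16.0.158", "172.16.4.10"),
    0xC329E1C0: ("172.16.4.10", "172.16.0.158"),
}
IV_LEN, ICV_LEN, BLOCK = 16, 12, 16  # aes-cbc IV, truncated hmac-sha1 ICV, AES block size

def parse_ipv4_esp(pkt):
    """Split a raw IPv4 packet carrying ESP (protocol 50) into src, dst, spi, seq, body."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 50:
        raise ValueError("not an ESP packet")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return src, dst, spi, seq, pkt[ihl + 8:]

def entropy_bits(data):
    """Shannon entropy per byte: ciphertext-sized bodies land near 7, ASCII text stays below 5.5."""
    probs = [data.count(bytes([v])) / len(data) for v in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def check_esp(pkt):
    """SPI known to the SAD, direction matches it, payload shaped and distributed like ciphertext."""
    src, dst, spi, _seq, body = parse_ipv4_esp(pkt)
    enc_len = len(body) - IV_LEN - ICV_LEN  # body is IV | ciphertext | ICV for these SAs
    return {
        "spi_in_sad": spi in SAD,
        "direction_ok": SAD.get(spi) == (src, dst),
        "block_aligned": enc_len > 0 and enc_len % BLOCK == 0,
        "looks_encrypted": entropy_bits(body) > 5.5,  # heuristic threshold (assumption)
    }

def build_esp_packet(src, dst, spi, seq, body):
    """Constructed test vector: minimal IPv4 header (checksum left 0) + ESP header + body."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(body), 0, 0, 64, 50, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!II", spi, seq) + body

# Constructed stand-ins: hash output as ciphertext (16 + 128 + 12 bytes), an HTTP request as plaintext.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(5))[:156]
PLAINTEXT_LIKE = b"GET /index.html HTTP/1.1\r\nHost: 172.16.0.158\r\nUser-Agent: curl\r\n\r\n"
GOOD = build_esp_packet("172.16.0.158", "172.16.4.10", 0x489423CE, 1, CIPHERTEXT_LIKE)
LEAKY = build_esp_packet("172.16.0.158", "172.16.4.10", 0x489423CE, 2, PLAINTEXT_LIKE)
```

Against a real capture, feed each frame's IP payload to check_esp; a packet whose SPI is not in the SAD or whose body fails the shape or entropy checks is what the "ESP confidentiality: None" display would correspond to on the wire.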
